Why Hackers Love Universities

Colleges and universities tend to attract hackers like honey attracts flies, but there are some steps IT leaders can take to batten down the hatches.

I have headed up the network and computer security team at Columbia University for the last 20 years, and I can safely say that if you are at an institute of higher education, the bad guys are gunning for you. Our institutions have become excellent targets. Here are five main reasons that I believe are making colleges attractive to hackers:

1. Personal Data

Schools have students—often lots of them—and with those students come Personally Identifiably Information (PII). We collect social security numbers, passport data, credit card numbers and a host of other personal information, all of which is just what hackers want.

2. Lax Security Posture

If you peruse security journals, you will often see articles detailing that colleges do not practice good security hygiene. Whether this is true or not, it gives hackers the idea that universities are easy targets. On an average day, I see approximately 500 unique IP addresses scanning the Columbia network, with over 10 million scans. They are looking for misconfigured systems or accounts with simple passwords.

3. Schools Have Valuable Information

The libraries at Columbia spend millions of dollars a year on subscriptions to various journals and services. If bad guys can get hold of a student account, they can download this information and sell it, especially in countries that do not have access to these types of data feeds.

4. A School Email Address is Very Valuable

Nowadays, pretty much every email system has some form of anti-spam system set up to filter out the amazing volume of junk email. These systems work by looking at the characteristics of the incoming mail (we look at over 8000 different things) and then using a formula to decide if the mail should be delivered. Some rules can make the mail less likely to be filtered, and it turns out that one of the best measures of goodness is whether or not the mail comes from an .edu email address. Bad guys love to get hold of a valid student email address, as they can use it to send out spam that is almost guaranteed to get delivered.

5. Research Universities Have Research Data

This is kind of obvious. This data is valuable to companies, both foreign and domestic and can translate into a very large financial loss if stolen. Protecting this data is extremely hard, since the researchers own it, and it is often not held on the central systems.

Some Steps to Improve Institutional Security

I believe that you will see security vulnerabilities that influence multiple items on this list. There are a few things you can do to harden your targets and provide better overall security.

One of the first things I recommend is single sign-on with multi-factor authentication (MFA). Using passwords as the only protection against compromise is, in my mind, akin to an open-door policy for infiltration. The least common denominator for system access is people, and depending on a simple password, regardless of length or complexity, is an invitation to disaster. In this case, “simple” does not refer to the makeup of the password, but to the fact that it is the only thing between you and your data. Single sign-on will help leverage the power of MFA and prevent your users from committing mutiny.

After MFA, your next best friend will be encryption and data masking. Encryption is an excellent way to prevent stolen data from becoming a security breach, however it depends on understanding how it works and using the proper form in the right place. Full disk encryption, the type used on hard drives and mobile devices, will prevent data from being misused only if the device was turned off when it was stolen. It will not help if your computer is hacked while it is up and running. To protect data on an active system, you must use field encryption or data masking. This is a much more complicated process, as it requires the application to understand the altered data. Encryption is a powerful and therefore dangerous security technique—if you lose the password, you have lost the data.

Research data is the most complicated to protect, since it is often dispersed throughout the campus and not usually under the control of the central IT organization. It is also often hard to tell the difference between a legitimate sharing of data and the exfiltration of stolen data. One way to detect data that has been stolen is through software that allows you to track where your documents are being opened. You can even block the documents from opening if they are out a specified geofence.

Finally, I am a strong believer in a good email anti-spam solution. This should be used to filter both incoming and outgoing mail, since spam in outgoing mail is a good indication of a compromised account. I prefer a system that is highly configurable, especially for the elimination of targeted phishing attacks.

In any case, there is no such thing as perfect security, but with a lot of effort and smart choices, you can create an environment that is safe, secure and still allows the business of education to flourish.